RHEL-74371

ipa-replica-install --setup-ca fails in FIPS mode

    • Bug
    • Resolution: Unresolved
    • Critical
    • rhel-10.0
    • dogtag-pki
    • dogtag-pki-11.6.0-1.el10
    • Important
    • rhel-sst-idm-cs
    • ssg_idm
    • Dev ack
    • Packages:
      python3-idm-pki-11.6.0-1.el10.noarch
      idm-pki-base-11.6.0-1.el10.noarch
      idm-jss-5.6.0-1.el10.x86_64
      idm-ldapjdk-5.6.0-1.el10.noarch
      idm-jss-tomcat-5.6.0-1.el10.x86_64
      idm-pki-java-11.6.0-1.el10.noarch
      idm-pki-tools-11.6.0-1.el10.x86_64
      idm-pki-server-11.6.0-1.el10.noarch
      idm-pki-ca-11.6.0-1.el10.noarch
      idm-pki-kra-11.6.0-1.el10.noarch

      What were you trying to do that didn't work?

      Installation of an IdM replica with a CA clone fails in FIPS mode

      What is the impact of this issue to you?

      Since no CA clone can be installed, the CA role is deployed on a single node and is a single point of failure.

      Please provide the package NVR for which the bug is seen:

      idm-pki-server-11.6.0-0.2.alpha2.el10.noarch

      ipa-server-4.12.2-9.el10.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install 2 machines in FIPS mode, set selinux permissive mode with "setenforce 0"
      2. Install the master with "ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --forwarder 10.11.5.160 -a Secret123 -p Secret123 -U"
      3. Install the replica with a CA role with "ipa-replica-install --domain ipa.test --realm IPA.TEST --setup-ca --principal admin --password Secret123 -U --server server.ipa.test"

      Expected results

      Replica installation should succeed

      Actual results

      Replica installation fails:

         [7/35]: configuring certificate server instance
      Failed to configure CA instance
      See the installation logs and the following files/directories for more information:
        /var/log/pki/pki-tomcat
        [error] RuntimeError: CA configuration failed.
      Your system may be partly configured.
      Run /usr/sbin/ipa-server-install --uninstall to clean up.CA configuration failed.
      The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

      The file /var/log/ipareplica-install.log contains the following trace:

       FINE: Command: pkcs12-import --pkcs12 /tmp/ca.p12 --password-file /tmp/tmpo7x9by5f/password.txt --debug "caSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "auditSigningCert cert-pki-ca" "subsystemCert cert-pki-ca"
      FINE: Module: pkcs12
      FINE: Module: import
      INFO: Initializing NSS
      INFO: Logging into internal token
      INFO: Using internal token
      DEBUG: Command: certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
      ERROR: CalledProcessError: Command '['openssl', 'pkcs12', '-in', '/tmp/ca.p12', '-out', '/var/lib/pki/pki-tomcat/conf/alias/ca.crt', '-nodes', '-nokeys', '-passin', 'pass:XXXXXXXX']' returned non-zero exit status 1.
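The trace ends with `openssl pkcs12` rejecting the transported CA bundle under FIPS. The following is an added diagnostic, not part of the ticket nor of the pki or ipa code: it lists the password-based encryption schemes a .p12 uses, on the assumption (not confirmed by the ticket) that the bundle carries legacy pbeWithSHA1And* schemes, whose PKCS#12 KDF the OpenSSL FIPS provider does not implement. The sample bytes at the bottom are constructed to exercise the parser; run `pbe_report(open("/tmp/ca.p12", "rb").read())` against the real file.

```python
PBE_OIDS = {  # PBE scheme OID -> (name, usable under the OpenSSL FIPS provider)
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", False),  # PKCS#12 KDF
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", False),       # PKCS#12 KDF, RC2
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", False),        # PKCS#12 KDF, RC2
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + block cipher)", True),
}

def decode_oid(body: bytes) -> str:  # content octets of an OBJECT IDENTIFIER -> dotted form
    arcs, val = ([body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]), 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def _walk(buf: bytes, pos: int, end: int, oids: list) -> int:
    # Parse consecutive BER elements in buf[pos:end], appending OIDs; return the position reached.
    while pos < end:
        if buf[pos] == 0 and buf[pos + 1] == 0:   # end-of-contents closing an indefinite-length element
            return pos + 2
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length == 0x80:                        # indefinite form (BER, as NSS-written bundles use)
            pos = _walk(buf, pos, end, oids)
            continue
        if length & 0x80:                         # long definite form
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if tag == 0x06:
            oids.append(decode_oid(buf[pos:pos + length]))
        elif tag & 0x20 or tag == 0x04:           # constructed, or an OCTET STRING that may wrap DER
            found: list = []
            try:
                ok = _walk(buf, pos, pos + length, found) == pos + length
            except (IndexError, ValueError):
                ok = False                        # opaque content (ciphertext, salt), not nested DER
            if ok:
                oids.extend(found)                # keep OIDs only from cleanly parsed nested content
            elif tag & 0x20:
                raise ValueError("malformed constructed element")
        pos += length
    return pos

def pbe_report(p12: bytes) -> list:  # (oid, name, fips_ok) per known PBE scheme, first occurrence
    oids: list = []
    _walk(p12, 0, len(p12), oids)
    return [(o,) + PBE_OIDS[o] for o in dict.fromkeys(oids) if o in PBE_OIDS]
# Constructed sample, not a real bundle: RC2 AlgorithmIdentifier wrapped in an OCTET STRING, then an
# indefinite-length SEQUENCE carrying a PBES2 OID and an opaque blob that must not yield false OIDs.
SAMPLE_P12 = bytes.fromhex("3033" "041a" "3018" "060a2a864886f70d010c0106" "300a" "040401020304"
                           "02020800" "3080" "06092a864886f70d01050d" "0406a73cff910010" "0000")
```

A bundle whose report lists only `fips_ok == True` schemes rules this hypothesis out; one listing pbeWithSHA1And* entries cannot be opened by a FIPS-only OpenSSL regardless of the password.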

      Marco Fargetta (rh-ee-mfargett)
      Florence Renaud (frenaud@redhat.com)
      RHCS Maintenance
      IdM CS QE